reCAPTCHA

Catching bots with Google reCaptcha v3?

https://developers.google.com/recaptcha/docs/v3

eCAPTCHA v3 returns a score for each request without user friction.

That is, if this is an API, each request must contain a captcha token from the Google service.
Which in turn is received and validated before each request

The score is based on interactions with your site and enables you to take an appropriate action for your site.

I.e:

1. the user went to the page
   
2. send a recaptcha request to get a token for the current session
   
3. having received the token, we send a request to the server to validate the token
   
4. on the server accept the token
   
5. send again to google service token for validation with a secret application token
   
6. waiting for an answer
   
7. having received a response, we validate whether we allow the request to be made
   
8. return json response
   
9. on ui we look at what the server answered
   
10. if the validation is successful, we send a request to get data for the page (this can be many requests)
    
11. after the expiration, 2 minutes, of the token, we repeat everything from scratch, we check how much the user behaves suspiciously
    

It is worth adding here that for each request that we want to protect with captcha, that is, all requests, pages, then before each request, all actions must also be repeated.
For example, the user went to the main page

grecaptcha.execute('_reCAPTCHA_site_key_', {action: 'homepage'}).then(function(token) {

The user wants to submit a login form that is in the popup on the main page

grecaptcha.execute('_reCAPTCHA_site_key_', {action: 'homepage_login'}).then(function(token) {

The user now wants to download more data or go to the second page of content

grecaptcha.execute('_reCAPTCHA_site_key_', {action: 'homepage_load_more'}).then(function(token) {
    grecaptcha.execute('_reCAPTCHA_site_key_', {action: 'homepage_page_2'}).then(function(token) {
...

It says here that

reCAPTCHA v3 will never interrupt your users, so you can run it whenever you like without affecting conversion.

But such validations are serious delays, instead of 0.3 sec, all 2-3 sec.

reCAPTCHA works best when it has the most context about interactions with your site, which comes from seeing both legitimate and abusive behavior. For this reason, we recommend including reCAPTCHA verification on forms or actions as well as in the background of pages for analytics.

That is, for each action where the user clicks something, as mentioned, the transition to the page, submitting the form, and so on.
The only option is to do all these requests asynchronously. Content upload + suspicion validation.
All this is to catch bots on the site.